Legislating Information Protection

Spyware and malicious adware top the list of many CIOs' greatest concerns for 2006. That makes a lot of sense considering that, if you believe the studies, close to 90% of corporate and consumer computers are infected with some form of these programs.

In its most innocuous form, spyware secretly collects demographic and usage information about a user. But in its more sinister form, spyware and unwanted adware surreptitiously lift a user’s personal information, usually for illicit financial purposes, including identity theft.

Either way, shouldn’t users at least know when spyware or adware is present and then have an opportunity to decide what to do with them?

Fortunately, lawmakers are slowly turning their attention to the issue and its impact on users—the businesses and consumers whom they have pledged to serve. In 2005, four separate anti-spyware/adware bills came up during the last session of the U.S. Congress.

That’s the good news.

The bad news is that the vendors behind these programs have successfully killed every bit of proposed legislation so far.

With pressing issues such as Social Security reform, immigration, government spending, and the threat of avian flu at the forefront last year (not to mention the fact that spyware and adware purveyors won battle after battle in committee), it's little wonder lawmakers have turned their attention elsewhere.

Worse yet, spyware and adware vendors are also doing their best to keep Internet security solutions providers tangled up in frivolous lawsuits, in an attempt to deter them from developing and deploying strong anti-spyware technologies.

Meanwhile, businesses and consumers remain at risk. After all, unless information security vendors are able to provide solutions that alert users to the presence of spyware and adware and enable them to remove such programs, users will simply have no choice in the matter.

Still, CIOs have plenty of options for keeping their enterprises secure. Beyond technology, they can raise awareness among end users about spyware and its dangers, and back that awareness with a solid information security policy.

For most organizations, that means prohibiting the use of freeware or shareware downloaded from the Internet. Such software often contains spyware and adware. In fact, in many cases, spyware and adware are the only reasons for the existence of such “free” software.

However, as 2006 begins, CIOs have one more avenue for reducing the spyware and adware risk, beyond technology and best practices: CIOs can encourage tough but fair legislation at the federal level—legislation that includes so-called “safe-harbor” language.

Such language has been used in a variety of situations in the U.S.—for example, to protect from blame those who try to help someone and fail, or to provide measured protection to contractors who respond to emergencies or disasters.

Safe harbor statutes have also been passed for IT-related issues, including 1998's Year 2000 Information and Readiness Disclosure Act, which limited certain potential liabilities of businesses that made Year 2000 information disclosure statements.

To that end, the Business Software Alliance (BSA) and the Cyber Security Industry Alliance (CSIA) are drafting safe harbor language that, if included in a federal anti-spyware/adware bill, would strengthen computer users’ right to know what programs are on their computers, how they work, and how they can be removed.

When Congress reconvenes in February and anti-spyware/adware bills are reintroduced for consideration, the inclusion of this language will help ensure the bill is effective if it becomes law.

It makes sense. The language that the BSA and CSIA propose to add protects from liability any information security vendor that, in good faith, removes suspected spyware at the end user's request. It does not offer blanket immunity to security firms, nor should it; it provides a narrow safe harbor for developers of solutions that enable users to remove spyware and related programs from their computers.

The proposed safe harbor provision already has strong support from a broad coalition of Internet security developers and consumer interest groups.

CIOs, too, are encouraged to keep close tabs on this issue, especially since its outcome will have a significant impact on the security of their corporate information.

Mark Egan is Symantec’s CIO and vice president of IT. He is responsible for the management of Symantec’s internal business systems, computing infrastructure, and information security program. Egan is author of “Executive Guide to Information Security: Threats, Challenges, and Solutions” from Addison Wesley and was a contributing author to “CIO Wisdom.”